Surveying the Landscape of Actionscript Security
Total Page:16
File Type:pdf, Size:1020Kb
SURVEYING THE LANDSCAPE OF ACTIONSCRIPT SECURITY TRENDS AND THREATS by Dhiraj V. Karamchandani APPROVED BY SUPERVISORY COMMITTEE: Kevin W. Hamlen, Chair Balaji Raghavachari Bhavani Thuraisingham Copyright c 2013 Dhiraj V. Karamchandani All rights reserved This thesis is dedicated to my advisor Dr. Kevin W. Hamlen in whose eyes I read the definition of the term ‘research’, and to my dearest family members who have instilled in me the invaluable virtue of selflessness. SURVEYING THE LANDSCAPE OF ACTIONSCRIPT SECURITY TRENDS AND THREATS by DHIRAJ V. KARAMCHANDANI, BE THESIS Presented to the Faculty of The University of Texas at Dallas in Partial Fulfillment of the Requirements for the Degree of MASTER OF SCIENCE IN COMPUTER SCIENCE THE UNIVERSITY OF TEXAS AT DALLAS December 2013 ACKNOWLEDGMENTS The text of this thesis incorporates and extends joint work with Meera Sridhar and Dr. Kevin W. Hamlen, which has been submitted for publication and is currently under review. The author thanks both co-authors for their contributions to the study. This work was supported in part by the National Science Foundation under award #1065216. All opinions, findings, conclusions, or recommendations expressed are those of the author(s) and do not necessarily reflect those of the National Science Foundation. November 2013 v PREFACE This thesis was produced in accordance with guidelines which permit the inclusion as part of the thesis the text of an original paper or papers submitted for publication. The thesis must still conform to all other requirements explained in the “Guide for the Preparation of Master’s Theses and Doctoral Dissertations at The University of Texas at Dallas.” It must include a comprehensive abstract, a full introduction and literature review, and a final overall conclusion. Additional material (procedural and design data as well as descriptions of equipment) must be provided in sufficient detail to allow a clear and precise judgment to be made of the importance and originality of the research reported. It is acceptable for this thesis to include as chapters authentic copies of papers already published, provided these meet type size, margin, and legibility requirements. In such cases, connecting texts which provide logical bridges between different manuscripts are mandatory. Where the student is not the sole author of a manuscript, the student is required to make an explicit statement in the introductory material to that manuscript describing the student’s contribution to the work and acknowledging the contribution of the other author(s). The signatures of the Supervising Committee which precede all other material in the thesis attest to the accuracy of this statement. vi SURVEYING THE LANDSCAPE OF ACTIONSCRIPT SECURITY TRENDS AND THREATS Publication No. Dhiraj V. Karamchandani, MS The University of Texas at Dallas, 2013 Supervising Professor: Kevin W. Hamlen As one of the foremost scripting languages of the World Wide Web, Adobe’s ActionScript Flash platform now powers multimedia features for a significant percentage of all web sites. However, its popularity and complexity have also made it an attractive vehicle for myriad malware attacks over the past five years. Despite the perniciousness and severity of these threats, ActionScript has been relatively less studied in the scholarly security literature. To fill this void and stimulate future research, this thesis presents a systematic study of Flash security threats and trends, including an in-depth taxonomy of fifteen major Flash vulnerability and attack categories, a detailed investigation of 520 Common Vulnerability and Exposure (CVE) articles reported between 2008–2013, and an examination of what makes Flash security challenges unique. The results of these analyses provide researchers, web developers, and security analysts a better sense of this important attack space, and identify the need for stronger security practices and defenses for protecting users of these technologies. vii TABLE OF CONTENTS ACKNOWLEDGMENTS . v PREFACE . vi ABSTRACT . vii LIST OF FIGURES . x LIST OF TABLES . xi CHAPTER 1 INTRODUCTION . 1 CHAPTER 2 A TAXONOMY OF VULNERABILITIES AND ATTACKS . 5 2.1 Flash-based Phishing . .5 2.2 Flash-based Pharming and DNS Rebinding . .7 2.2.1 Flash-Based Pharming . .7 2.2.2 DNS Rebinding . .7 2.3 Flash-based Drive-by-Download and Drive-by-Cache . .8 2.4 Same-Origin Policy Abuse . 10 2.4.1 Same-origin Policy . 10 2.4.2 Case-study: Client-side Flash Proxies . 11 2.5 Attacks using ExternalInterface, URLRequest, and navigateToURL . 13 2.5.1 ExternalInterface Abuse . 13 2.5.2 URLRequest and navigateToURL Abuse . 14 2.6 Flash-based Cross-Site Scripting (XSS) . 15 2.7 Flash-based Cross-Site Request Forgery (CSRF) . 16 2.8 Flash-based Heap Spraying . 17 2.9 Flash-based JIT Spraying . 19 2.10 Obfuscation . 20 2.11 Type Confusion Exploitation . 22 2.12 Vulnerabilities in Flash Parser and Analysis Tools . 23 viii 2.13 JavaScript and HTML Script Injection . 25 2.14 Flash Parameter Injection . 26 2.15 Flash-based Malvertisements . 29 CHAPTER 3 ANALYSIS . 32 3.1 Scientic Research Survey Methodology . 32 3.2 CVE Collection and Investigation . 33 3.2.1 Total Flash-relevant CVEs Over the Years . 33 3.2.2 Flash-relevant Attack/Vulnerbility Trend Evolution Over the Years . 33 3.3 Classification Challenges . 36 3.3.1 Example 1: CVE-2013-0634 . 36 3.3.2 Example 2: CVE-2011-2836 . 36 3.3.3 Example 3: CVE-2011-0627 . 39 3.3.4 Example 4: CVE-2011-0578 . 40 3.3.5 Example 5: CVE-2012-3414 . 41 3.3.6 Example 6: CVE-2012-2399 . 41 3.3.7 Example 7: CVE-2012-3415 . 42 CHAPTER 4 RELATED SURVEYS . 46 CHAPTER 5 CONCLUSION AND FUTURE WORK . 47 REFERENCES . 48 VITA ix LIST OF FIGURES 2.1 Potentially dangerous ActionScript classes, methods, and properties . 16 2.2 HTML code with injection of Flash parameters using the Embedded URI method 27 3.1 Flash presence in the top six security publication venues in 2008–2013. 33 3.2 Number of Flash-relevant CVEs by Year from 2008–2013. 34 3.3 Evolution of Flash-relevant vulnerabilities and attacks between 2008-2013. 37 3.4 Evolution of Flash-relevant vulnerabilities and attacks between 2008-2013, in- cluding inferences. 38 3.5 Text of CVE-2013-0634 . 39 3.6 Text of CVE-2011-2836 . 39 3.7 Text of CVE-2011-0627 . 40 3.8 Text of CVE-2011-0578 . 41 3.9 Text of CVE-2012-3414 . 41 3.10 Text of CVE-2012-2399 . 42 3.11 Text of CVE-2012-3415 . 42 x LIST OF TABLES 3.1 CVE Classification Legend . 35 3.2 CWE Cross Section Mapped into by NVD [75]. 43 xi CHAPTER 1 INTRODUCTION Adobe Flash applets (Shockwave Flash programs) provide web developers a superior platform for creating rich, dynamic web content such as web advertisements, online games, streaming media and interactive webpage animations, resulting in a soaring popularity of the technology on the web. Additionally, most of this content can also be made available to the desktop using the Adobe Integrated Runtime (AIR) cross-platform environment. The following statistics [7, 99] demonstrate the pervasive impact of Flash. More than 20,000 apps in mobile app stores such as Apple App Store and Google Play are created using Flash. A staggering revenue of over US$70 million per month is generated by the top nine Flash enabled games in China. Flash is used in 24 of top 25 Facebook games. Flash is the choice of technology of more than three million developers for creating interactive and animated web environments. Flash is used by 16.9% of all websites. The popularity of Flash combined with the complexity of its features has made it ex- tremely attractive to attackers. The 2013 Cisco Annual Threat Report marks Adobe Flash as the third highest in the top content types for malware distribution [20]. The 2013 Symantec Internet Security Threat Report mentions that of all plug-in vulnerabilities between 2010 and 2012, Adobe Flash Player constitutes 18%, 20%, and 22% in the years 2010, 2011, and 2012 respectively. Flash-powered attacks have successfully penetrated some of the most security- hardened facilities in the world, such as the famous 2011 penetration of RSA [68], and the massive Luckycat campaign that targeted an entire spectrum of important U.S. industries such as aerospace, energy, engineering, shipping, and military research, as well as top-level international organizations such as Indian military research institutions, and groups in Japan and Tibet [48]. 1 2 One reason Flash security is so non-trivial is because of the feature-filled complexity of the ActionScript bytecode language [6], which Flash uses internally. Like other ECMAScript languages, ActionScript includes language features such as an object model, function calls, class inheritance, compile time and run-time type checking, packages, namespaces, regular expressions, and direct access to security-relevant system resources [3]. However, unlike JavaScript, ActionScript programs are disseminated as compiled binary Flash files (.swf files) that pack images, sounds, text, and bytecode in a webpage-embeddable form, which is then seamlessly JIT-compiled and/or interpreted by the Adobe Flash Player browser plug-in when the page is viewed. This transparent purveyance of powerful binary content from Flash authors, through page publishers, to end-users educes many security threats. Security apprehensions have been further exacerbated due to the recent trend of web environments becoming aggressively heterogeneous (e.g., composed of mash-ups that mix mobile code from many mutually distrusting sources), which expand the attack vulnerability surface area. Additionally, Flash’s deployment as plug-in VM tends to widen threat windows due to patch lag. Newly discovered VM vulnerabilities are typically resolved by patches released by Adobe, but many consumers are apathetic or inattentive in downloading and installing the patches; in many large companies, older versions of the Flash plug-ins may be required for compatibility with critical business systems, creating reluctance in updating to the latest version.